Completed Project: Alert Correlation


Alert correlation is a process that takes as input the alerts produced by one or more intrusion detection sensors and provides a more succinct, higher-level view of occurring or attempted intrusions. The main objective is to produce intrusion reports that capture a high-level view of the activity on the network without losing security-relevant information.


Overview


With the large volume of alerts produced by low-level detectors, managing intrusion alerts is becoming more challenging. Manual analysis of this many raw alerts is both time consuming and labor intensive. Alert correlation addresses this problem by finding similarity and causality relationships between raw alerts, providing a condensed yet more meaningful view of the network from the intrusion standpoint. Previous learning-based approaches either fail to cope with the number of alerts generated in a large-scale network or do not address the problem of concept drift directly. Our aggregation approach yields a reduced view of the patterns that develop among alerts over time. At the core of the proposed framework is a new algorithm for mining correlated patterns of single-step attacks.
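The two relationships named above can be made concrete with a small single-pass correlator. The following is an added example written for this page; it is not the project's code and does not reproduce the published mining algorithm. Signature names, the stage order in STAGES, the window and horizon values, the sensor names, the hosts and all timestamps are constructed for the demonstration. It first collapses alerts that agree on signature, source and destination within a short window into meta-alerts (similarity), then chains meta-alerts on the same attacker/victim pair whose stages advance in time order into multi-step scenarios (causality).

```python
"""Toy alert-correlation pass over constructed IDS alerts.

Added example for this page, not the project's own code.  Signatures, stage
order, hosts, sensors and timestamps are all made up for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Alert:
    ts: float    # arrival time in seconds (constructed)
    sensor: str  # which IDS sensor raised it
    sig: str     # signature / rule name
    src: str     # attacker address
    dst: str     # victim address


@dataclass
class MetaAlert:
    sig: str
    src: str
    dst: str
    first: float
    last: float
    count: int = 1
    sensors: set = field(default_factory=set)


# Hypothetical stage order used for the causality step: a meta-alert may only
# follow one of a strictly lower stage on the same (src, dst) pair.
STAGES = {"ICMP PING": 0, "PORT SCAN": 1, "EXPLOIT ATTEMPT": 2}


def aggregate(alerts, window=60.0):
    """Similarity aggregation in one pass over alerts in time order.

    Alerts with the same (sig, src, dst) join the currently open meta-alert for
    that key if they arrive within `window` seconds of its last member;
    otherwise the old meta-alert is closed and a new one opened.  Only one open
    meta-alert per key is kept, so state stays bounded on a stream.
    """
    closed = []
    open_groups = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src, a.dst)
        m = open_groups.get(key)
        if m is not None and a.ts - m.last <= window:
            m.last = a.ts
            m.count += 1
            m.sensors.add(a.sensor)
            continue
        if m is not None:
            closed.append(m)
        open_groups[key] = MetaAlert(a.sig, a.src, a.dst, a.ts, a.ts, 1, {a.sensor})
    return sorted(closed + list(open_groups.values()), key=lambda m: m.first)


def correlate(meta_alerts, horizon=600.0):
    """Causality correlation: chain meta-alerts into attack scenarios.

    Within each (src, dst) pair, a meta-alert is appended to the current chain
    when its stage is higher than the chain's last stage and it starts within
    `horizon` seconds of that stage ending; anything else starts a new chain.
    """
    by_pair = defaultdict(list)
    for m in meta_alerts:
        by_pair[(m.src, m.dst)].append(m)
    scenarios = []
    for group in by_pair.values():
        group.sort(key=lambda m: m.first)
        chain = [group[0]]
        for m in group[1:]:
            prev = chain[-1]
            if (STAGES.get(m.sig, -1) > STAGES.get(prev.sig, -1)
                    and m.first - prev.last <= horizon):
                chain.append(m)
            else:
                scenarios.append(chain)
                chain = [m]
        scenarios.append(chain)
    return scenarios


# Constructed sample: one scan seen by two sensors, a follow-up exploit from
# the same attacker, an unrelated scan, and a much later rescan.
SAMPLE_ALERTS = (
    [Alert(1000.0 + i, "ids-edge", "PORT SCAN", "10.0.0.5", "192.168.1.10") for i in range(40)]
    + [Alert(1020.0 + i, "ids-core", "PORT SCAN", "10.0.0.5", "192.168.1.10") for i in range(40)]
    + [Alert(1300.0, "ids-core", "EXPLOIT ATTEMPT", "10.0.0.5", "192.168.1.10")]
    + [Alert(1100.0, "ids-edge", "PORT SCAN", "172.16.3.3", "192.168.1.20")]
    + [Alert(9000.0, "ids-edge", "PORT SCAN", "10.0.0.5", "192.168.1.10")]
)


def run_demo(alerts=SAMPLE_ALERTS):
    """Return (meta_alerts, scenarios) so both layers of the reduction can be inspected."""
    metas = aggregate(alerts)
    return metas, correlate(metas)


if __name__ == "__main__":
    metas, scenarios = run_demo()
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(metas)} meta-alerts -> {len(scenarios)} scenarios")
    for s in scenarios:
        steps = " -> ".join(f"{m.sig} x{m.count}" for m in s)
        print(f"{s[0].src} -> {s[0].dst}: {steps}")
```

On the sample, 83 raw alerts reduce to 4 meta-alerts and 3 scenarios, one of which is the two-step PORT SCAN to EXPLOIT ATTEMPT chain; the 80 scan alerts from both sensors become a single meta-alert that records both sensor names, while the rescan 8000 seconds later correctly stays separate because the stage order does not allow a scan to follow an exploit. The fixed STAGES table is the weak point of such a rule-based correlator and is exactly what a learning-based approach that tolerates concept drift would replace.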


Related Publications


Reza Sadoddin and Ali A. Ghorbani. Real-time Alert Correlation Using Stream Data Mining Techniques. In Proceedings of Innovative Applications of Artificial Intelligence (IAAI), pages 1731-1737, 2008.

Mahboobeh Soleimani and Ali A. Ghorbani. Critical Episode Mining in Intrusion Detection Alerts. In Proceedings of Sixth Annual Conference on Communication Networks and Services Research (CNSR), pages 157-164, 2008.

Bin Zhu and Ali A. Ghorbani. Alert Correlation for Extracting Attack Strategies. International Journal of Network Security, 3(3):244-258, 2006.

Reza Sadoddin and Ali A. Ghorbani. Alert Correlation Survey: Framework and Techniques. In Proceedings of the 4th Annual Conference on Privacy, Security and Trust (PST), pages 6-15, 2006.